[dns-operations] FireEye reports long-running DNS hijacking campaign

Bill Woodcock woody at pch.net
Sat Jan 12 18:29:15 UTC 2019


>> The quick summary, threat-actors are breaking into the registrar and (it appears) the primary servers.

No, neither of those is correct.  This is a simple DNS hijack, using already-established mechanisms, or compromised credentials.

>> They then set up long term MITM interceptions through proxies.

Only if you consider “one hour” to be long-term.

>> It is not really a “hijack.”

It is a hijack of both DNS and IMAP, by any definition I’m familiar with.

> They revert to the regular A or NS records as soon as they have intercepted what they want, likely to reduce the chance of exposure.

That is correct.

Again, DNSSEC validation was the _only_ method that protected anyone in this attack.  Though of course DANE would have as well, had it been available.

The unavailability of those two things (client DNSSEC validation and DANE) on end systems was, ultimately, why these attacks succeeded, and Apple Product Security has been very responsive, now that they’ve seen it in action.

                                -Bill

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190112/f4b252e5/attachment.sig>


More information about the dns-operations mailing list